New Proof Methods for Attribute-Based Encryption: Achieving Full - - PowerPoint PPT Presentation

▶

Apr 06, 2024 132 likes •345 views

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

SLIDE 1

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques

Allison Lewko Brent Waters

SLIDE 2

Roots of Attribute-Based Encryption

Moving beyond Public Key Encryption: Identity-based Encryption [S84,BF01,C01] Hierarchical Identity-based Encryption [HL02,GS02] Attribute-based Encryption [SW05]

Alice

“Bob” “Bob”

Bob

CEO Manager 1 Manager 2 employee employee Encrypt to Individual + superiors Encrypt to “users with hats”

SLIDE 3

Two Kinds of ABE

Ciphertext Policy ABE: Key Policy ABE:

(A Ç B) Æ C (A Ç B) Æ C {A, C} {A, C}

SLIDE 4

Security Goal for ABE

Challenger Attacker

Public Params

MSK

S1 S1 S2 S2

Si : set of attributes

M0, M1, Policy Enc(Mb, PP, policy)

Repeat Repeat

SLIDE 5

Proof Challenges

Hard problem ABE attacker Simulator Hard problem ABE breaks ABE Challenge: simulator must:

respond to key requests
leverage attacker’s success on challenge



SLIDE 6

Partitioning Proofs

Previous approach – Partitioning [BF01, BB04, W05, GPSW06] Key Space

Can’t Make Keys Simulator Can Make

We Need:

Key Request Key Request Challenge Key Request Abort Challenge Abort

SLIDE 7

Problem: Why Should Attacker Respect the Partition?

Two Approaches:

1. Make Attacker Commit

(weaker) selective security

2. Guess and quit when wrong

HA!

SLIDE 8

Selectively Secure ABE [GPSW06, W11]

Selectively Secure KP-ABE [GPSW06]: Simulator Attribute set S

Satisfied by S Formulas NOT satisfied by S

Public Parameters

SLIDE 9

Selectively Secure ABE [GPSW06, W11]

Selectively Secure CP-ABE [W11]: Simulator Access Policy P

Satisfying P Sets NOT satisfying P

Public Parameters

SLIDE 10

Dual System Encryption [W09]

Normal Semi-Functional Normal

Used in real system

  

SLIDE 11

A Dual System Encryption Proof

Not Compatible!

Real Security Game: Hybrid Argument:

Incompatiblity of key/CT High probability decryption failure Decryption failure Message independent CT

Regardless of Compability! Hardest step previously done With info-theoretic argument

Efficiency drawbacks

SLIDE 12

Dual System Encryption Reimagined

Semi-functional Space Normal Space Public Parameters

Decompose: Normal Component Semi-functional component Separated from PP

Parameters in S.F. Space “delayed” until first semi-functional

bject appears!

SLIDE 13

The Security Game in S.F. Space

Attacker Challenger Public Params Si : sets of attributes S1

Repeat

M0, M1, policy Enc(Mb, PP, policy)

Repeat

PP in S.F. Space

SLIDE 14

Dividing the Proof: Two Cases

Thought experiment: consider attacker requesting one key (generalize to many keys via hybrid argument) Case 1: CT request comes before key attacker challenger Access Policy P

Satisfying P Sets NOT satisfying P

Like selective CP-ABE!

Semi-functional space

SLIDE 15

Dividing the Proof: Two Cases

Thought experiment: consider attacker requesting one key (generalize to many keys via hybrid argument) Case 2: key request comes before CT attacker challenger Set S

Satisfied by S Formulas NOT satisfied by S

Like selective KP-ABE!

Semi-functional space

SLIDE 16

Proof Schematic

CT Key 1 Key 2 Key 3 Key 4 Key 5 Key 6 Timeline of Game ->

Expand into S.F. Space

Expand into S.F. Space Partitioning proof Partitioning proof

Erase Message

SLIDE 17

Summary of Techniques

Selective security proof for CP-ABE Selective security proof for KP-ABE Dual System Encryption

Fully Secure ABE

SLIDE 18

Open Problems

Selectively secure CP-ABE from a non-“q-type”

assumption

ABE for more general policies (ideally, circuits)
Progress to be reported later in this session

SLIDE 19

Thanks for your attention!

Questions?